-
Nov 8th, 2005, 11:51 PM
#1
Thread Starter
Frenzied Member
Getting Business
So here's my question.... I'm a Software Developer and Security Consultant. I specialize in web based application security, SQL Injection, XSS, etc...
I have found numerous web development companies around my area that have created data driven websites or web based applications for their customers. About 75% of these websites/applications they are creating have severe vulnerabilities. Vulnerabilities that can allow a hacker to steal their data, take control of their server, corrupt/delete their data, etc...
Being in my shoes, how would/could you approach these companies, inform them of their issues and offer your services?
Note: I've broken no laws, crossed no unethical lines in determining these vulnerabilities. I just did some simple tests to determine if any vulnerabilities existed.
I did email one of the companies informing them of their vulnerabilities. I didn't offer my services, but I definitely mentioned that I was a security consultant.
Last edited by Memnoch1207; Nov 8th, 2005 at 11:54 PM.
Being educated does not make you intelligent.
Need a weekend getaway??? Come Visit
-
Nov 9th, 2005, 12:06 AM
#2
Re: Getting Business
If you want serious answers perhaps you have to ask a moderator to move it to a more appropriate section or add a serious tag in the title...
-
Nov 9th, 2005, 06:28 AM
#3
Hyperactive Member
Re: Getting Business
 Originally Posted by Memnoch1207
Note: I've broken no laws, crossed no unethical lines in determining these vulnerabilities.
Blackmail them.
Combat poverty: kill a poor!!
-
Nov 9th, 2005, 08:28 AM
#4
Re: Getting Business
Maybe you could email the webmaster... inform them of the security holes.
Tell them you are a security consultant and would love the chance to work for them to repair the problems... something along those lines. Don't give them specific details of what the issues are. (That's only if they hire, or inquire about your services)
JPnyc rocks!! (Just ask him!)
If you have your answer please go to the thread tools and click "Mark Thread Resolved"
-
Nov 9th, 2005, 08:45 AM
#5
Lively Member
Re: Getting Business
 Originally Posted by Static
Maybe you could email the webmaster... inform them of the security holes.
Tell them you are a security consultant and would love the chance to work for them to repair the problems... something along those lines. Don't give them specific details of what the issues are. (That's only if they hire, or inquire about your services)
I would also suggest that you put some extra time into writing the email, making sure that it doesn't seem like spam generated by a program that just knows to substitute a general string like '[NAME]' with their first name.
And like Static said, don't give him enough information that he can fix it himself or that he could get others to fix it for cheaper, but give him enough information so that he knows that there is a real risk. Maybe even give him a piece of information that, as admin, he can find out easily, but, as a normal user, you shouldn't be able to find out. Give him a very vague explanation of how you got it (i.e. there was an exploit in X script that allows such information out). Also warn him of the dangers of such exploits and what it may cost him if he doesn't get it fixed.
-
Nov 9th, 2005, 08:49 AM
#6
Re: Getting Business
I would be very wary of actually checking their system and telling them you have done this, as this is a grey area legally.
Instead say that "In my experience many companies have security holes. If you were to employ me I would test your site by [..clever stuff here..]"
-
Nov 9th, 2005, 09:20 AM
#7